Jacket-X is a leading manufacturer of industrial-grade gloves and jackets. The company is located in a large city, where it produces jackets that are mainly used by professionals dealing with safety-related applications. The company also deals with the manufacture and development of new glove designs. The company’s HR department had been experiencing issues with payroll, even though no form of fraud had ever been found at the company.
The company decided to put in place a mechanism for vulnerability assessment, as well as a strategy for checking the company’s network system for any vulnerabilities that could allow unauthorized external access to the facility. In the past, the company had experienced a malware infection that nearly interfered with the network system, almost bringing it down. This created an urgent need for an IT check-up in preparation for an external audit. The need for cyber security capability within organizations has been highlighted recently by the increase in cases of hacking, in which an organization may be under sustained attack for some time before realizing it. According to Wilshusen (2010), a cyber attack is likely to have far-reaching consequences for any organization, which must then make efforts to rebuild and maintain trust and repair its reputation with customers and stakeholders.
Cyber Threats and Vulnerabilities
Cyber threats and vulnerabilities are associated with the organization’s IT system (Campbell, 2012). There are different types of threats that the company may experience. For example, in the employee individual timestamp entry, the following may be observed. Bogus employees may be added to the payroll master file. False timecards may be created. Issues may also arise where payroll specialists alter payroll details in the validation phase. Furthermore, when assigning groups of employees to supervisors, payroll administrators may create falsified checks. In addition, specialists and administrators may access management metrics to which they are not allowed access. Another challenge is the deletion of payrolls that are important to the company’s audit requirements.
Another cyber security threat the organization may experience affects the in-house payroll validation. In this case, payroll administrators can intentionally delete payrolls that are vital for audit requirements. Falsified checks can also be created. Paycheck generation records may not be kept safely for audit purposes, and employee wages may be directed to different accounts. Other cyber security threats may be experienced during payroll generation; these are similar to the threats identified in the employee individual timestamp entry. In addition, payroll specialists may alter the in-house payroll data.
In the area of paycheck generation, the cyber security threats that may be encountered include access to management metrics that should not be viewed by specialists or administrators. In addition, vital data can be retrieved or stolen, and exported Excel files can be viewed. Other threats in this area include the lack of appropriate storage of paycheck generation records for audit purposes. In addition, fake independent contractors may be created in the payroll master file.
The company may also experience cyber threats in the management reports, where data exported to an Excel file can be tampered with or stolen. Specialists and administrators may also have access to management metrics that they are not supposed to view. Staff may be granted leave without consent, in addition to the threats identified in the other areas.
Further threats may be experienced in the federal and state government reports. In this case, employees may be paid twice, through both direct deposit and a paycheck. Fake independent contractors may also interfere with the process. Payroll administrators may tamper with payments that are not properly processed. Furthermore, vital information may be stolen, and employee wages may be diverted to different accounts. Finally, the last area that may be affected by cyber security threats is direct deposit. In this case, falsified checks may be created, and paycheck generation records may not be properly stored for audit purposes. Other threats the company may experience include paying employees twice through direct deposit and paychecks, as well as channeling employee wages to different accounts.
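Two of the payroll threats listed above, double payment through both direct deposit and paycheck, and diversion of wages to a different account, leave a pattern in payroll records that an audit check can flag. The following is an added example written for this page, not code from Jacket-X or from any cited source; the record layout, the employee identifiers and the seven-day review window are assumptions, and the sample data is constructed.

```python
"""Audit checks over constructed payroll records (added example, not part of
the original case study).

Flags two of the threats described in the case study:
  * double payment: one employee paid by more than one method in a period;
  * wage diversion: a deposit account changed by someone other than the
    employee shortly before the payout date.
"""
from collections import defaultdict
from datetime import date

# Constructed sample data: payments issued for pay period 2024-03.
PAYMENTS = [
    {"employee": "E100", "period": "2024-03", "method": "direct_deposit", "amount": 2500.00},
    {"employee": "E101", "period": "2024-03", "method": "direct_deposit", "amount": 3100.00},
    {"employee": "E101", "period": "2024-03", "method": "paycheck", "amount": 3100.00},
    {"employee": "E102", "period": "2024-03", "method": "paycheck", "amount": 1900.00},
]

# Constructed sample data: history of deposit-account changes.
ACCOUNT_CHANGES = [
    {"employee": "E100", "changed_on": "2024-01-10", "changed_by": "E100"},
    {"employee": "E102", "changed_on": "2024-03-27", "changed_by": "admin_ana"},
]


def find_double_payments(payments):
    """Return employees paid by more than one method in the same pay period."""
    methods_by_key = defaultdict(set)
    for p in payments:
        methods_by_key[(p["employee"], p["period"])].add(p["method"])
    return sorted(emp for (emp, _), methods in methods_by_key.items() if len(methods) > 1)


def find_suspicious_account_changes(changes, payout_date, window_days=7):
    """Return employees whose deposit account was changed within window_days
    before payout by someone other than the employee (an assumed review rule;
    the pattern is consistent with wage diversion and warrants a manual check)."""
    payout = date.fromisoformat(payout_date)
    flagged = []
    for c in changes:
        days_before_payout = (payout - date.fromisoformat(c["changed_on"])).days
        if 0 <= days_before_payout <= window_days and c["changed_by"] != c["employee"]:
            flagged.append(c["employee"])
    return flagged


def run_audit(payout_date="2024-03-31"):
    """Run both checks over the constructed data and return the findings."""
    return {
        "double_payments": find_double_payments(PAYMENTS),
        "suspicious_account_changes": find_suspicious_account_changes(ACCOUNT_CHANGES, payout_date),
    }


if __name__ == "__main__":
    for check, employees in run_audit().items():
        print(f"{check}: {employees}")
```

Both checks are deliberately simple: they compare records the payroll system already holds, so they can run on every payroll period and feed an audit trail without changing the payroll process itself.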
The company should put corrective measures in place to deal with the system vulnerabilities. For instance, submitted timecards should be easily editable; however, the cost of maintaining the audit trails for this is high. The advantage of editable timecards is that the timekeeper is spared the unnecessary hassle of obtaining approval to correct an editing error. In the area of independent contractor payroll entries, the validating authority should be given editing access. In addition, the company needs more rigid control over the creation of independent contractors in the payroll master file. Furthermore, payroll specialists should have only limited access to editing payroll data after validation. Another measure is to prohibit supervisors from accessing the stored data. The creation of additional system validation steps for adding independent contractors to the payroll master file would also be necessary. In the in-house payroll validation, the entire process should be secured through clearly differentiated roles and access privileges. The company should ensure that it brings in an additional validation step performed by a payroll employee.
In the area of payroll generation, any changes made should be approved by management. Once all the databases are covered, there will be no cyber security threat, since they are secured. In paycheck generation, the process should not be exploitable within the system, even though there is no potential systemic vulnerability. The audit records should be stored. Other measures, such as email alerts, should be put in place. In addition to mailing the audit trails, they should also be stored.
In the area of management reports, management metrics should not be in the purview of the specialists and administrators. Moreover, all emails should be monitored and secured. This requires disabling USB drives in order to prevent employees from stealing any company documentation. As for the federal and state government reports, even though Excel exports may be a bad idea, they should be kept safely, protected with custom passwords. However, the company should make efforts to minimize the federal government reports. Finally, in the area of direct deposit, the company should emphasize one system that precludes the others. Even though the system may be secure, it should be restrictive enough.
Management Requirements and Policy Considerations
It is a challenging task for managers to keep their businesses secure. Whereas security is vital in a business environment, the security requirements must be evaluated in terms of costs and benefits. In order to maintain a sufficient security operation, it is important to allow appropriate operating freedom so that the organization remains productive. Thus, security specialists should be in a position to defend the IT network implementation to the auditors.
In order to ensure network security, network connections should only be accessible to the network security professionals. The company should sign a contract with McAfee for its network security application. Another important factor to consider is the modification of network access rights in order to avoid complaints from the employees. The company has signed up for security alerts from two vendors and has reconfigured the firewalls. In order to ensure data storage security, the company shifted from a user-based file system to a group- and role-based file system. To ensure password security, network specialists should ensure that hackers cannot obtain the password information if a single machine is compromised.
The most common areas of network vulnerability include physical network security, data encryption, controlled user access, unauthorized access detection, and sufficient logging of network connections. In the protocols and services, important areas to consider include lack of knowledge of security vulnerabilities, secure network component configuration, and software access logs. Other important areas to consider include user security, data storage security and password security.